sw/source/filter/html/htmlctxt.cxx |   24 +++++++++++++++---------
 sw/source/filter/html/htmlgrin.cxx |   10 +---------
 sw/source/filter/html/htmlplug.cxx |    2 ++
 sw/source/filter/html/swhtml.hxx   |    2 ++
 4 files changed, 20 insertions(+), 18 deletions(-)

New commits:
commit b9d61186a5054cfc0b0b1c71683f3ae2d50920cf
Author:     Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Sun May 4 19:09:06 2025 +0100
Commit:     Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Mon May 5 20:17:55 2025 +0200

    ofz#415407112 Null-dereference
    
    and
    
    ofz#415525036 Heap-use-after-free
    
    Change-Id: I37349284bb27a8b0a2085e3af99dbdb9ce6983d8
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/184942
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
    Tested-by: Jenkins

diff --git a/sw/source/filter/html/htmlctxt.cxx 
b/sw/source/filter/html/htmlctxt.cxx
index 480ebbd72165..e77e449adf6d 100644
--- a/sw/source/filter/html/htmlctxt.cxx
+++ b/sw/source/filter/html/htmlctxt.cxx
@@ -466,6 +466,20 @@ void SwHTMLParser::ClearContext( HTMLAttrContext *pContext 
)
         StartListing();
 }
 
+//static
+void SwHTMLParser::SanitizeAnchor(SfxItemSet& rFrameItemSet)
+{
+    const SwFormatAnchor& rAnch = rFrameItemSet.Get(RES_ANCHOR);
+    if (SwNode* pAnchorNode = rAnch.GetAnchorNode())
+    {
+        if (pAnchorNode->IsEndNode())
+        {
+            SAL_WARN("sw.html", "Invalid EndNode Anchor");
+            rFrameItemSet.ClearItem(RES_ANCHOR);
+        }
+    }
+}
+
 bool SwHTMLParser::DoPositioning( SfxItemSet &rItemSet,
                                   SvxCSS1PropertyInfo &rPropInfo,
                                   HTMLAttrContext *pContext )
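Review bot: SanitizeAnchor is now the one guard shared by DoPositioning, the hunk in htmlgrin.cxx and InsertFloatingFrame, but neither the definition here nor the declaration added to swhtml.hxx says what it guarantees. I would replace the bare `//static` with a comment such as `// Drop an anchor that points at an EndNode so a malformed document cannot hand it to the fly insertion code`, and put a matching `///` line on the declaration, next to the documented StripQueryFromPath. It is also worth noting there that `rAnch` presumably refers into the item set and should not be read after `ClearItem(RES_ANCHOR)`; the current body does not read it, so this only matters for later edits.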
@@ -494,15 +508,7 @@ bool SwHTMLParser::DoPositioning( SfxItemSet &rItemSet,
                         
HtmlFrameFormatFlags::Box|HtmlFrameFormatFlags::Padding|HtmlFrameFormatFlags::Background|HtmlFrameFormatFlags::Direction,
                         aFrameItemSet );
 
-        const SwFormatAnchor& rAnch = aFrameItemSet.Get(RES_ANCHOR);
-        if (SwNode* pAnchorNode = rAnch.GetAnchorNode())
-        {
-            if (pAnchorNode->IsEndNode())
-            {
-                SAL_WARN("sw.html", "Invalid EndNode Anchor");
-                aFrameItemSet.ClearItem(RES_ANCHOR);
-            }
-        }
+        SanitizeAnchor(aFrameItemSet);
 
         InsertFlyFrame(aFrameItemSet, pContext, UIName(rPropInfo.m_aId));
         pContext->SetPopStack( true );
diff --git a/sw/source/filter/html/htmlgrin.cxx 
b/sw/source/filter/html/htmlgrin.cxx
index 23afb49dbac9..7e2f4480cf67 100644
--- a/sw/source/filter/html/htmlgrin.cxx
+++ b/sw/source/filter/html/htmlgrin.cxx
@@ -829,15 +829,7 @@ IMAGE_SETEVENT:
     if (eNodeType != SwNodeType::Text && eNodeType != SwNodeType::Table)
         return;
 
-    const SwFormatAnchor& rAnch = aFrameSet.Get(RES_ANCHOR);
-    if (SwNode* pAnchorNode = rAnch.GetAnchorNode())
-    {
-        if (pAnchorNode->IsEndNode())
-        {
-            SAL_WARN("sw.html", "Invalid EndNode Anchor");
-            aFrameSet.ClearItem(RES_ANCHOR);
-        }
-    }
+    SanitizeAnchor(aFrameSet);
 
     // passing empty sGrfNm here, means we don't want the graphic to be linked
     SwFrameFormat *const pFlyFormat =
diff --git a/sw/source/filter/html/htmlplug.cxx 
b/sw/source/filter/html/htmlplug.cxx
index d2089ee3d411..b68b3afd75a9 100644
--- a/sw/source/filter/html/htmlplug.cxx
+++ b/sw/source/filter/html/htmlplug.cxx
@@ -1163,6 +1163,8 @@ void SwHTMLParser::InsertFloatingFrame()
     SetFixSize( aSize, aDfltSz, bPercentWidth, bPercentHeight, aPropInfo, 
aFrameSet );
     SetSpace( aSpace, aItemSet, aPropInfo, aFrameSet );
 
+    SanitizeAnchor(aFrameSet);
+
     // and insert into the document
     SwFrameFormat* pFlyFormat =
         m_xDoc->getIDocumentContentOperations().InsertEmbObject(*m_pPam,
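Review bot: The call added before `InsertEmbObject` is the only behavioural change in this commit, and the diffstat shows no reproducer for ofz#415407112 or ofz#415525036, so the guard in InsertFloatingFrame could later be moved or dropped without any test noticing. If the fuzzer inputs can be reduced, adding them to the HTML import crash tests would pin the fix. Other paths in this file that build a frame item set and then insert an object are not visible in the hunk; if they derive the anchor the same way, they probably need `SanitizeAnchor(aFrameSet);` before the insert as well. InsertFloatingFrame starts and ends outside the hunk.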
diff --git a/sw/source/filter/html/swhtml.hxx b/sw/source/filter/html/swhtml.hxx
index 54dec5b744a1..205208980100 100644
--- a/sw/source/filter/html/swhtml.hxx
+++ b/sw/source/filter/html/swhtml.hxx
@@ -956,6 +956,8 @@ public:
 
     /// Strips query and fragment from a URL path if base URL is a file:// one.
     static OUString StripQueryFromPath(std::u16string_view rBase, const 
OUString& rPath);
+
+    static void SanitizeAnchor(SfxItemSet& rFrameItemSet);
 };
 
 struct SwPendingData
